[Enhancement]: aws_cloudformation_stack_set_instance DeploymentTargets

[mbainter]

Description

When deploying StackSets using aws_cloudformation_stack_set_instance the API provides a means to manage which accounts in the target OUs will receive the deploys.

Service-managed Stack Sets, can deploy to individual accounts with the accounts parameter, to all the accounts in specified OU, or a subset of accounts in the specified OU.

{
"Accounts": ["string", ...],
"AccountsUrl": "string", 
"OrganizationalUnitIds": ["string", ...] 
"AccountFilterType": "string"
}

You can specify a list of accounts, and then affect how that list is used with the filter type:

• INTERSECTION: StackSets deploys to the accounts specified in Accounts parameter.
• DIFFERENCE: StackSets excludes the accounts specified in Accounts parameter. This enables user to avoid certain accounts within an OU such as suspended accounts.
• UNION: (default value) StackSets includes additional accounts deployment targets.
• NONE: Deploys to all the accounts in specified organizational units (OU).

This is particularly important when using the SERVICE_MANAGED permission model, as you cannot target or exclude individual accounts with the resources currently provided. If you try to do something like what is in the documentation:

resource "aws_cloudformation_stack_set_instance" "example" {
  account_id     = "123456789012"
  region         = "us-east-1"
  stack_set_name = aws_cloudformation_stack_set.example.name
}

when using a SERVICE_MANAGED model you get a validation error:

Error: creating CloudFormation StackSet (example) Instance: ValidationError: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

Affected Resource(s) and/or Data Source(s)

• aws_cloudformation_stack_set_instance

Potential Terraform Configuration

resource "aws_cloudformation_stack_set_instance" "example" {
  deployment_targets {
    organizational_unit_ids = [aws_organizations_organization.example.roots[0].id]
    accounts = var.excluded_accounts
    account_filter_type = "DIFFERENCE"
  }

  region         = "us-east-1"
  stack_set_name = aws_cloudformation_stack_set.example.name
}

References

• https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DeploymentTargets.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/account-level-targets.html

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[michalz-rely]

This feature is really missing

[dylanmtaylor]

We really need this to avoid deploying a stackset to a couple of accoutns

[halberom]

This is related to issue https://github.com/hashicorp/terraform-provider-aws/issues/26917 and pr https://github.com/hashicorp/terraform-provider-aws/pull/26935

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.